Re: [pkix] Syntax of Subject Alternative Names field in a certificate
Denis <denis.ietf@free.fr> Tue, 16 April 2024 16:52 UTC
To: Michael StJohns <msj@nthpermutation.com>
Cc: pkix@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/251ibj5lF8CS4gYKZZrxLhMSXCc>
Hi Andreas,

The general syntax is here: https://www.alvestrand.no/objectid/2.5.29.17.html

It has been originally defined by ISO / ITU-T, i.e., not by the IETF.

Denis

> Hi Andreas -
>
> You appear to be asking about how to make Openssl issue a cert with an
> SAN. That's not a topic for this list.
>
> This list is about IETF standards in the Public Key Infrastructure
> field of use. If you have a question about the ASN1 that goes into
> making an SAN OtherName, that would be more appropriate for this list.
>
> I'd suggest referring your questions to the OpenSSL community, or
> going to the repository and reading the code directly.
>
> Good luck - Mike
>
>
> On 4/16/2024 8:12 AM, Andreas Maier wrote:
>>
>> Hi, I am trying to understand what the syntax is for the string value
>> of the Subject Alternative Names field, particularly when it contains
>> multiple entries.
>>
>> I was hopeful to find that in
>> https://datatracker.ietf.org/doc/html/rfc5280 which has a section
>> 4.2.1.6
>> <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6>
>> “Subject Alternative Name” but I could not get that out of the syntax
>> description in there. I can find examples which seem to suggest it is
>> a comma-separated list of items, each of which has a type indicator
>> (e.g. “DNS”), as in: |DNS:{hostname1},IP:{ip2},email:{email},URI:{uri4}|
>>
>> Some sources for the examples:
>>
>> * https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>> * https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094754en_us&docLocale=en_US&page=index.html
>>   <https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094754en_us&docLocale=en_US&page=index.html>
>> * https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/ use:
>>
>> Where is the syntax of the Subject Alternative Names field documented
>> in an RFC?
>> Are the type indicators mandatory or optional?
>>
>> Kind regards,
>>
>> Andy
>>
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix